CN100393029C - Method for countermeasure in an electronic component using a secret key algorithm - Google Patents


Info

Publication number
CN100393029C
Authority
CN
China
Prior art keywords: random, data item, key, prevention method, opn
Prior art date
Legal status
Expired - Lifetime
Application number
CNB008063486A
Other languages
Chinese (zh)
Other versions
CN1630999A (en)
Inventor
J.-S. Coron
N. Feyt
O. Benoit
Current Assignee
Jin Yatuo
Gemalto Oy
Original Assignee
Gemplus SA
Priority date
Filing date
Publication date
Application filed by Gemplus SA
Publication of CN1630999A
Application granted
Publication of CN100393029C
Anticipated expiration
Expired - Lifetime (current legal status)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols; the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L 9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L 9/0625 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation, with splitting of the data block into left and right halves, e.g. Feistel based algorithms, DES, FEAL, IDEA or KASUMI
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F 21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure computing or processing of information
    • G06F 21/75 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure computing or processing of information by inhibiting the analysis of circuitry or operation
    • G06F 21/755 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure computing or processing of information by inhibiting the analysis of circuitry or operation, with measures against power attack
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/002 Countermeasures against attacks on cryptographic mechanisms
    • H04L 9/003 Countermeasures against attacks on cryptographic mechanisms for power analysis, e.g. differential power analysis [DPA] or simple power analysis [SPA]
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 2207/00 Indexing scheme relating to methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F 2207/72 Indexing scheme relating to groups G06F 7/72 - G06F 7/729
    • G06F 2207/7219 Countermeasures against side channel or fault attacks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L 9/00
    • H04L 2209/08 Randomization, e.g. dummy operations or using noise


Abstract

The invention concerns a countermeasure method in an electronic component using a secret key algorithm K on an input message M, characterised in that the execution of an operation OPN, or of a sequence of operations, comprising bit-by-bit manipulation of an input information D to supply an output information OPN(D), comprises the following steps: drawing a random value as a first random information U, of the same size as the input information D; calculating a second random information V by performing an exclusive OR between the input information and the first random information U; executing the operation OPN or the sequence of operations successively on the first random information U and on the second random information V, supplying respectively a first random result OPN(U) and a second random result OPN(V).

Description

Countermeasure method in an electronic component using a secret-key cryptography algorithm
The present invention relates to a countermeasure method in an electronic component that uses a secret key. Such components are used in applications where access to services and to data is strictly controlled. They have an architecture built around a microprocessor and memories, including a program memory that contains the secret key.
These components are notably used in smart cards for certain applications, for example access to certain databases, banking applications, and remote payment applications such as pay television, fuel purchase, or motorway toll collection.
These components or cards therefore use secret-key cryptography algorithms, the best known of which is the DES algorithm (from the English "Data Encryption Standard"). Other secret-key algorithms exist, for example the RC5 algorithm or the COMP128 algorithm; the invention is of course not limited to these.
In general terms, the function of these algorithms is to compute an encrypted message from a message applied as input (to the card) by a host system (server, bank dispenser, etc.) and from the secret key held in the card, and to return the encrypted message to the host system, which allows the host system, for example, to authenticate the component or card, to exchange data, and so on. The characteristics of a secret-key cryptography algorithm are known: the computations performed and the parameters used. The only unknown is the secret key held in program memory. The entire security of these cryptography algorithms rests on this key held in the card, which is unknown to the world outside the card. This key cannot be deduced from knowledge alone of the message applied as input and of the encrypted message returned.
However, it has become clear that external attacks based on analysis of the current consumption, and in particular of the differential current consumption, while the card's microprocessor executes the cryptography algorithm to compute the encrypted message, allow a malicious third party to find the secret key held in the card. These attacks are called DPA attacks, from the English "Differential Power Analysis".
The principle of DPA attacks rests on the fact that the current consumption of a microprocessor executing instructions varies according to the data being processed.
In particular, when an instruction executed by the microprocessor processes data bit by bit, there are two different current profiles depending on whether the bit processed is 1 or 0. Typically, if the microprocessor processes a 0, there is a first amplitude of consumed current at the moment of execution, and if it processes a 1, there is a second amplitude of consumed current, different from the first.
A DPA attack thus exploits the difference in the card's current consumption during execution of an instruction according to the value of the bit processed. Briefly, carrying out a DPA attack consists in: identifying one or more specific periods of execution of the algorithm that include the execution of at least one instruction processing data bit by bit; during these periods, recording a very large number N of current-consumption curves, one curve for each distinct message to which the algorithm is applied; for each curve, predicting the value taken by a data bit under a hypothesis on a sub-key, i.e. on at least a part of the key that makes this prediction possible; and sorting the curves according to the corresponding Boolean selection function, so as to obtain a first packet of curves for which the prediction is 1 and a second packet for which the prediction is 0. A differential analysis of current consumption between the two packets obtained, by averaging each packet, yields an information signal DPA(t). If the sub-key hypothesis is false, each packet in fact contains as many curves corresponding to the processing of a 1 as curves corresponding to the processing of a 0. The two packets are then equivalent in current consumption, and the information signal is essentially 0. If the sub-key hypothesis is true, one packet in fact contains the curves corresponding to the processing of a 0 and the other contains the curves corresponding to the processing of a 1; the information signal DPA(t) is then not equal to 0: it contains peaks at the instants at which the microprocessor processes the bit according to which the curves were sorted. These peaks have a value corresponding to the difference in current consumed by the microprocessor according to whether it processes a 0 or a 1. In this way the whole of the secret key held in the electronic component, or a part of it, can be recovered step by step.
There are many such secret-key algorithms in which the microprocessor, while executing the algorithm, must at some moment process data bit by bit.
In particular, these algorithms generally include permutations, which require the microprocessor to perform such processing. By analysing the current consumption during execution of this bit-by-bit processing, at least some bits of the data item processed can be obtained. Knowledge of this data item then gives information about intermediate results obtained during execution of the cryptography algorithm, which in turn makes it possible to obtain at least some bits of the key used.
Three documents are similar to the present invention, but differ from it as follows:
The first document D1, "NTT Review, Vol. 6, No. 4, 1 July 1997, pages 85-90, Miyaguchi S.: 'Secret key ciphers that change the encipherment algorithm under the control of the key', XP000460342", relates to a mathematical solution to the problem of avoiding known decryptions of enciphered messages. The method changes the key tables of any secret-key algorithm under the control of a sub-part of the key used in the algorithm. However, this method is not suited to the standard DES algorithm, which is a well-known secret-key algorithm. The technique described in this document involves data rotations and data substitutions.
The second document D2, "Institute of Electrical and Electronics Engineers, IEEE Global Telecommunications Conference, Phoenix, Arizona, Nov. 3-8, 1997, vol. 2, 3 November 1997, pages 689-693, Yi X. et al.: 'A method for obtaining cryptographically strong 8x8 S-boxes', XP000737626", relates to a method of processing the S-boxes of the standard DES algorithm, intended to improve its security in terms of cryptanalysis, i.e. a mathematical problem rather than a problem of physical cryptography.
The third document D3, "FR-A-2 672 402", relates to a method and apparatus for constructing a random number generator using the standard DES algorithm. The DES algorithm is a secret-key algorithm which here uses data from a counter, for example, and is intended to produce as output a result comparable with a random number, a result situated outside DES.
The object of the invention is to apply a countermeasure to the data processed bit by bit, namely to scramble them, so that analysis of the current consumption during the processing of these data can reveal no information about them: in a DPA attack, whatever the sub-key or key hypothesis, the information signal DPA(t) will always be 0, and the data are thereby protected.
As claimed, the invention relates to a countermeasure method in an electronic component using a cryptography algorithm with a secret key K.
According to the invention, the countermeasure method applies to an operation, or sequence of operations, performed on an input data item and comprising at least one bit-by-bit processing; the method comprises first drawing a first random data item of the same length as the input data item, computing a second random data item by an XOR between the first random data item and the input data item, and then applying the operation or sequence of operations to the first random data item and to the second random data item.
In this way the operation or sequence of operations processes only random data items, and a DPA attack is no longer possible.
To obtain the output data item corresponding to the application of the series of steps to the input data item, it suffices to compute the XOR between the first and second random results.
In a first mode of application of this countermeasure method, the operation or sequence of operations concerns data items computed from the message to be encrypted.
In a second mode of application of the countermeasure method according to the invention, the method is applied to the operations directly concerning the secret key, which supply the sub-key used in each round of the algorithm.
In a variant of application of the countermeasure method according to the invention, provision is made to carry out a first series of steps according to the method described above, so as to obtain a first random sub-key and a second random sub-key.
In this variant, for the round concerned, instead of computing the true sub-key, these random sub-keys are used, so that the true sub-key of each round no longer appears in clear; only random sub-keys are processed.
The invention thus differs from document D1 in that it concerns DES without changing its structure: neither its input nor its output is modified. The XOR operations used, described below, make it possible to mask the data with random parameters.
The invention differs from document D2 in that it concerns a problem of physical cryptography: the invention proposes to solve an implementation problem arising from the appearance of secondary effects; moreover, it does not concern the S-boxes, but the security problems occurring during the compressions, permutations and expansions of the data (see Fig. 1 described below).
Finally, the invention differs from document D3 in that it uses random numbers within the DES algorithm, to protect the execution of DES against all types of attack.
Other features and advantages of the invention are described in detail below with reference to the accompanying drawings, which illustrate the invention without limiting it, and in which:
Fig. 1 and Fig. 2 are detailed flowcharts of the first and second rounds of the DES algorithm;
Fig. 3 schematically shows the countermeasure method according to the invention applied to an operation that processes data bit by bit;
Fig. 4 shows a first mode of application of the countermeasure method according to the invention during execution of the DES algorithm;
Fig. 5 schematically shows the end of execution of the DES algorithm;
Fig. 6 schematically shows a second mode of application of the method of the invention, to the operations of the DES algorithm that process the key;
Fig. 7 is a detailed flowchart of the application of the countermeasure method corresponding to Fig. 6; and
Fig. 8 is a block diagram of a smart card in which the countermeasure method according to the invention can be carried out.
The DES secret-key cryptography algorithm (hereinafter DES or the DES algorithm) comprises 16 computation rounds, denoted T1 to T16 in Fig. 1 and Fig. 2.
DES begins with an initial permutation IP on the input message M (Fig. 1). The input message M is a 64-bit word. After the permutation, a 64-bit word e is obtained, which is split in two to form the input parameters L0 and R0 of the first round (T1). L0 is a 32-bit word d containing the 32 most significant bits of word e; R0 is a 32-bit word h containing the 32 least significant bits of word e.
The secret key K is a 64-bit word q, which is itself permuted and compressed to give a 56-bit word r.
The first round begins with an EXP PERM operation on the parameter R0, comprising an expansion and a permutation, to give a 48-bit word l as output.
This word l is combined with a parameter K1 in an XOR operation, denoted XOR, to give a 48-bit word b. The parameter K1, a 48-bit word m, is obtained from the word r by a shift of one position (the operation denoted SHIFT in Fig. 1 and Fig. 2), which gives a 48-bit word p, followed by an operation comprising a permutation and a compression (the operation denoted COMP PERM) applied to the word p.
The word b is supplied to an operation denoted SBOX, at the output of which a 32-bit word a is obtained. This particular operation consists in supplying an output data item a taken from a table of constants TC0 according to the input data item b.
The word a undergoes a permutation P PERM, which gives a 32-bit word c as output.
This word c is combined with the input parameter L0 of the first round T1 in an XOR operation, denoted XOR, which gives a 32-bit word g as output.
The word h (= R0) of the first round supplies the input parameter L1 of the next round (T2), and the word g of the first round supplies the input parameter R1 of the next round. The word p of the first round supplies the input r of the next round.
The other rounds T2 to T16 proceed in a similar way, except for the shift operation, which shifts by one or two positions depending on the round concerned.
Each round Ti thus receives the parameters Li-1, Ri-1 and r as input, and supplies the parameters Li, Ri and r as output for the following round Ti+1.
At the end of the DES algorithm (Fig. 4), the encrypted message is computed from the parameters L16 and R16 supplied by the last round T16.
The computation of this encrypted message C in practice comprises the following operations:
- forming a 64-bit word e' by reversing the positions of the words L16 and R16 and concatenating them;
- applying the permutation IP^-1, the inverse of the one at the start of DES, to obtain a 64-bit word f' forming the encrypted message C.
As can be seen, this algorithm comprises many operations that process data bit by bit, for example the permutation operations.
According to the countermeasure method of the invention, a software countermeasure is applied when the microprocessor computing the encrypted message performs bit-by-bit processing. In this way, the statistical processing and the Boolean selection function that a DPA attack applies to the current-consumption curves can no longer supply any information: whatever the sub-key hypothesis, the signal DPA(t) remains 0.
The software countermeasure method according to the invention thus makes each bit processed by the microprocessor unpredictable.
Fig. 3 illustrates the principle of this countermeasure method.
Let D be the input data item.
Let OPN be an operation to be computed on this input data item D, with result denoted OPN(D). The operation OPN requires the microprocessor to process the input data item D bit by bit; for example, a permutation.
According to the invention, rather than applying the operation OPN to the input data item D to compute the result OPN(D) of the operation, the following different steps are carried out:
- draw a random value as first random data item U, of the same length as the input data item D (for example 32 bits);
- compute a second random data item V by an XOR between the input data item and the first random data item: V = D XOR U;
- compute the operation OPN on the first random data item U, giving a first random result OPN(U);
- compute the operation OPN on the second random data item V, giving a second random result OPN(V);
- compute the result OPN(D) by an XOR between the first and second random results: OPN(D) = OPN(U) XOR OPN(V).
This method applies equally well to a single operation or to a series of operations.
A first mode of application of the countermeasure method according to the invention concerns the operations on data computed from the message (M) to which the algorithm is applied. In this case the input data item D is computed from the message M.
Fig. 4 shows an example of this first mode applied to the DES algorithm, in which the method is applied on the one hand to the operation EXP PERM and on the other hand to the operation P PERM, both of which comprise a permutation requiring bit-by-bit processing of the input data item.
In this figure, the countermeasure method applied to these operations is denoted CM(EXP PERM) and CM(P PERM).
The software countermeasure method according to the invention thus consists in replacing each operation P PERM and EXP PERM by the operations CM(EXP PERM) and CM(P PERM), which use a random variable U according to the computation sequence shown in Fig. 3. Since each round of the algorithm comprises an EXP PERM operation and a P PERM operation, this countermeasure can be applied in each round of DES.
Experience shows that only the first 3 and the last 3 rounds are susceptible to a DPA attack; for the other rounds, the predictions are very difficult, or even impossible.
Therefore, to require less computation time, the countermeasure method according to the invention can be implemented only in the first 3 and the last 3 rounds of DES.
Various applications of the countermeasure method according to the invention concern the drawing of the random value serving as first random data item U. Depending on whether a large amount of computation time is available, a new random value can be drawn each time an operation or series of operations according to the countermeasure method is carried out.
Thus, in Fig. 4, a value U1 is drawn as random data item U for the operation CM(EXP PERM), and another value U2 is drawn as random data item U for the operation CM(P PERM).
Alternatively, a new random value can be drawn for each round of the algorithm, or a single random value can be drawn at the start of the algorithm.
The choice depends mainly on the application concerned, and on whether a large number of additional cycles is available for the countermeasure.
Fig. 6 shows a second mode of application of the countermeasure method according to the invention. It concerns more particularly the computation operations performed on the secret key K to supply the sub-key Ki used in each round of the algorithm. In the DES example these operations are KEY PERM, performed at the start of DES, and SHIFT and COMP PERM, performed in each round. During these operations, at certain moments the microprocessor processes the bits of the key individually, so a DPA attack on these operations is possible.
The countermeasure method according to the invention is used to protect the data item before these operations are carried out, the data item in this case being the secret key, so that a DPA attack can no longer obtain any information.
Thus, as schematically shown in Fig. 6, a random value is drawn as first random data item Y, of the same length as the secret key K. A second random data item Z of the same length is computed by an XOR between the secret key K and the first random data item Y: Z = K XOR Y.
In the example shown, the sequence of operations comprises the operations KEY PERM, then SHIFT, then COMP PERM. This sequence of operations is then applied successively to each of the two random data items Y and Z. Thus, with the two data items Y and Z supplied in succession as input, the outputs of the operations KEY PERM, SHIFT and COMP PERM are respectively Y', P_iY', K_iY' and Z', P_iZ', K_iZ'.
Fig. 7 shows a concrete example of application to DES.
In DES, the KEY PERM operation is performed only once, at the start, while the SHIFT and COMP PERM operations are performed in each round.
Moreover, the output of the SHIFT operation of a round Ti serves as input to the SHIFT operation of the next round Ti+1 (see Fig. 1 and Fig. 2).
To apply the countermeasure method to the DES algorithm according to the second mode of application, the first operation KEY PERM is therefore applied to the random data Y and Z, which produces two intermediate random data Y' and Z'. These two intermediate random data are supplied in succession to the SHIFT operation of the first round T1, producing two intermediate random data P_1Y' and P_1Z'. These two random data are, on the one hand, stored in working memory for the SHIFT operation of the next round (the second round) and, on the other hand, supplied in succession to the operation EXP PERM of the first round, so as to supply the first intermediate results K_1Y' and K_1Z'.
These steps are carried out in each round. Thus, in each round Ti, a first random result K_iY' = EXP PERM(SHIFT(Y')) and a second random result K_iZ' = EXP PERM(SHIFT(Z')) are obtained, and the intermediate random data SHIFT(Y') = P_iY' and SHIFT(Z') = P_iZ' are stored in working memory for subsequent use in round Ti+1.
Then, for each round Ti, it would be possible to recompute the sub-key Ki corresponding to that round, i.e. the result of the sequence of operations KEY PERM, SHIFT and COMP PERM performed on the secret key K, by an XOR between the two random results K_iY' and K_iZ': Ki = K_iY' XOR K_iZ'.
Preferably, however, as shown in Fig. 7, the sub-key Ki of round Ti is no longer recomputed. The first random result K_iY' replaces the sub-key Ki in the XOR operation, denoted XOR, performed with the data item l supplied by the expansion operation EXP PERM. An intermediate result b' is obtained.
By performing an XOR operation between this intermediate result b' and the second random result K_iZ', the output data item b = XOR(l, Ki) is obtained. The following operations are therefore carried out in each round Ti to compute the parameter b from l: b' = l XOR K_iY', and
b = b' XOR K_iZ', as shown for the first and second rounds in Fig. 7.
In this way, the sub-key itself is no longer used when computing the encrypted message; "random sub-keys" are used instead, and the key is protected during, and before, the execution of the cryptography algorithm, since K_iY' and K_iZ' are random, are unknown to the world outside the component (or card), and can easily be changed at each new execution of the cryptography algorithm. It should be noted that, when the countermeasure method according to the invention is applied to the computation of the sub-keys, the random value is drawn only once, at the start of execution of the algorithm, before the operations on the key.
The second mode of application of the countermeasure method according to the invention, to the secret key, can advantageously be combined with the first mode, which protects the computation of the encrypted message proper; this combination makes the countermeasure method particularly effective.
The invention has been applied to the DES secret-key cryptography algorithm, an example of which has been described above. It applies generally to any secret-key cryptography algorithm in which certain operations performed by the microprocessor require bit-by-bit processing of data.
An electronic component 1 using the countermeasure method according to the invention in a DES secret-key cryptography algorithm is shown in Fig. 8. It comprises a microprocessor μP, a program memory 2 and a working memory 3. It has a device 4 for generating random values which, with reference to Fig. 3 and to the flowchart of Fig. 8, supplies the values U and Y of the required length (32 bits for U, 64 bits for Y) when the cryptography algorithm is executed. This component is particularly suited to use in a smart card 5, to improve its resistance to tampering.
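The following Python example is added here and is not code from the patent or from Gemplus. It implements the XOR-split masking of Fig. 3 on the DES EXP PERM and P PERM tables, the second mode of Fig. 6 and Fig. 7 on the key schedule (KEY PERM, SHIFT and COMP PERM, realised here with the public FIPS 46-3 tables PC-1, the 28-bit rotations and PC-2, which the patent names but does not list), and the split round XOR of claim 6; it also includes a check, `split_holds`, that the recombination OPN(U) XOR OPN(V) = OPN(D) is exact for XOR-linear operations such as permutations but not for an S-box, consistent with the patent applying the method to the permutations and not to SBOX.

```python
# Added example (not the patent's or Gemplus's code): XOR-split masking of
# DES bit-permutation operations as described in Fig. 3, Fig. 4 and Fig. 6/7.
# The tables below are the public FIPS 46-3 constants (E, P, PC-1, PC-2,
# per-round shifts, S-box S1); the patent names the operations, not the tables.
import secrets

E = [32, 1, 2, 3, 4, 5, 4, 5, 6, 7, 8, 9, 8, 9, 10, 11, 12, 13,
     12, 13, 14, 15, 16, 17, 16, 17, 18, 19, 20, 21, 20, 21, 22, 23, 24, 25,
     24, 25, 26, 27, 28, 29, 28, 29, 30, 31, 32, 1]               # EXP PERM
P = [16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10,
     2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25]     # P PERM
PC1 = [57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18,
       10, 2, 59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36,
       63, 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38, 30, 22,
       14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4]        # KEY PERM
PC2 = [14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10,
       23, 19, 12, 4, 26, 8, 16, 7, 27, 20, 13, 2,
       41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48,
       44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32]             # COMP PERM
SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]         # SHIFT per round
S1 = [[14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
      [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
      [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
      [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13]]     # SBOX (S1 only)


def permute(x, table, in_bits):
    """Bit-by-bit permutation/expansion: output bit j is input bit table[j],
    with DES numbering the bits 1..in_bits from the most significant end."""
    out = 0
    for pos in table:
        out = (out << 1) | ((x >> (in_bits - pos)) & 1)
    return out


def key_shift(cd, n):
    """SHIFT: rotate each 28-bit half of the 56-bit key register left by n."""
    c, d = cd >> 28, cd & 0x0FFFFFFF
    c = ((c << n) | (c >> (28 - n))) & 0x0FFFFFFF
    d = ((d << n) | (d >> (28 - n))) & 0x0FFFFFFF
    return (c << 28) | d


def sbox1(b):
    """DES S-box S1 on a 6-bit input: a non-linear table lookup (SBOX)."""
    row = (((b >> 5) & 1) << 1) | (b & 1)
    col = (b >> 1) & 0xF
    return S1[row][col]


def masked_opn(opn, d, bits, rng=secrets.randbits):
    """Fig. 3: draw U, form V = D XOR U, run OPN on U and V only, then
    recombine OPN(D) = OPN(U) XOR OPN(V).  D itself never enters OPN."""
    u = rng(bits)
    v = d ^ u
    return opn(u) ^ opn(v)


def split_holds(opn, d, u):
    """True iff OPN(D) == OPN(U) XOR OPN(D XOR U) for this D and U, i.e. the
    split is exact.  It is for XOR-linear OPN (permutations), not for S-boxes."""
    return opn(d) == opn(u) ^ opn(d ^ u)


def plain_subkeys(k):
    """Unprotected key schedule: KEY PERM once, then SHIFT and COMP PERM per round."""
    cd = permute(k, PC1, 64)
    subkeys = []
    for n in SHIFTS:
        cd = key_shift(cd, n)
        subkeys.append(permute(cd, PC2, 56))
    return subkeys


def masked_subkeys(k, rng=secrets.randbits):
    """Second mode (Fig. 6/7): Y random, Z = K XOR Y; the sequence KEY PERM,
    SHIFT, COMP PERM is run on Y and Z only, so the true sub-key Ki never
    appears.  Returns the 16 pairs (K_iY', K_iZ')."""
    y = rng(64)
    z = k ^ y
    py, pz = permute(y, PC1, 64), permute(z, PC1, 64)             # Y', Z'
    pairs = []
    for n in SHIFTS:
        py, pz = key_shift(py, n), key_shift(pz, n)               # P_iY', P_iZ'
        pairs.append((permute(py, PC2, 56), permute(pz, PC2, 56)))  # K_iY', K_iZ'
    return pairs


def masked_round_xor(l, k_iy, k_iz):
    """Claim 6 / Fig. 7: b' = l XOR K_iY', then b = b' XOR K_iZ', which equals
    l XOR Ki without ever materialising Ki."""
    b_prime = l ^ k_iy
    return b_prime ^ k_iz
```

`plain_subkeys` exists only to check the masked schedule against the FIPS 46-3 worked-example key; a protected implementation would never compute it.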

Claims (9)

1. A countermeasure method for an electronic component that uses a secret key cryptographic algorithm encrypting an input message (M) with a key (K), for preventing attacks that decode the key by differential analysis of current consumption, characterized in that an operation (OPN) performed by the algorithm, which processes an input data item (D) bit by bit so as to provide a first output data item (OPN(D)), comprises the following steps:
- drawing a random value for a first random data item (U) having the same length as the input data item (D);
- computing a second random data item (V) by an XOR between the first random data item (U) and the input data item (D);
- then performing the operation (OPN) separately on the first random data item (U) and on the second random data item (V), so as to provide a first random result (OPN(U)) and a second random result (OPN(V)) respectively;
- computing the first output data item (OPN(D)) by an XOR between the first and second random results.
2. The countermeasure method of claim 1, characterized in that it is applied to an expansion-and-permutation operation, the expansion-and-permutation operation being applied to data computed from the input message (M).
3. The countermeasure method of claim 1, characterized in that a new random value (U) is drawn each time the operation is performed.
4. The countermeasure method of claim 1, characterized in that it is applied to a key permutation operation, a shift operation and a compression-and-permutation operation performed on the key (K).
5. The countermeasure method of claim 4, wherein the cryptographic algorithm comprises a plurality of computation rounds (Ti), each round (Ti) comprising a key permutation operation, a shift operation and a compression-and-permutation operation on the key K so as to provide a corresponding sub-key (Ki) in each round (Ti), the countermeasure method being characterized in that it is applied to the key permutation operation, the shift operation and the compression-and-permutation operation, so as to provide in each round a first random result (KiY') and a second random result (KiZ').
6. The countermeasure method of claim 5, wherein each round (Ti) performs an XOR between the sub-key (Ki) and an input data item (D) so as to provide a second output data item (b), characterized in that this operation is replaced by the following operations:
- computing an XOR between the input data item (D) and the first random result (KiY'), thereby providing an intermediate result (b');
- computing an XOR between the intermediate result (b') and the second random result (KiZ'), thereby providing the second output data item (b).
7. The countermeasure method of any one of claims 1, 2, 5 and 6, characterized in that a new random value is drawn each time the cryptographic algorithm is executed.
8. The countermeasure method of claim 3, characterized in that a new random value is drawn each time the cryptographic algorithm is executed.
9. The countermeasure method of claim 1, characterized in that it is applied to the DES algorithm.
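The following is an added worked example of the masking scheme in claims 1, 5 and 6; it is illustration code written for this page, not code from the patent or from Gemplus. It assumes the DES expansion permutation E from FIPS 46-3 as the "expansion and permutation" operation of claim 2, and a 28-bit left rotation as the "shift" operation of claims 4 and 5; the PC-1 and PC-2 key-schedule tables are left out, and the function names (masked_op, masked_subkey, masked_round_xor, is_xor_linear) are invented for the example. The point it makes beyond the claims is the precondition a practitioner must check: the recombination OPN(U) XOR OPN(V) equals OPN(D) only when OPN is linear over XOR, which holds for permutations, expansions and shifts but not for an S-box or a modular addition.

```python
"""Masked bit-permutation and masked round-key XOR in the style of claims 1, 5, 6.
Illustration only; not the patent's or Gemplus's code."""
import secrets

# DES expansion permutation E (32 -> 48 bits), FIPS 46-3.
# Entries are 1-indexed input bit positions; bit 1 is the most significant bit.
E_TABLE = [32, 1, 2, 3, 4, 5, 4, 5, 6, 7, 8, 9,
           8, 9, 10, 11, 12, 13, 12, 13, 14, 15, 16, 17,
           16, 17, 18, 19, 20, 21, 20, 21, 22, 23, 24, 25,
           24, 25, 26, 27, 28, 29, 28, 29, 30, 31, 32, 1]


def permute(value, table, in_bits):
    """Bit-by-bit permutation/expansion: the kind of OPN the claims cover."""
    out = 0
    for pos in table:
        out = (out << 1) | ((value >> (in_bits - pos)) & 1)
    return out


def expansion(d):
    """The E operation of DES applied to a 32-bit half block."""
    return permute(d, E_TABLE, 32)


def rotate_left(value, nbits, count):
    """Circular left shift on an nbits-wide register (DES key-schedule shift)."""
    mask = (1 << nbits) - 1
    return ((value << count) | (value >> (nbits - count))) & mask


def masked_op(opn, d, nbits, draw_random=secrets.randbits):
    """Claim 1: opn is never applied to the sensitive value d itself.
    draw_random(nbits) stands in for the component's random number generator."""
    u = draw_random(nbits)      # step 1: fresh random first data item, same length as d
    v = u ^ d                   # step 2: second random data item
    opn_u = opn(u)              # step 3: operation performed on each share separately
    opn_v = opn(v)
    return opn_u ^ opn_v        # step 4: recombination; equals opn(d) iff opn is XOR-linear


def masked_subkey(k, nbits, shift, draw_random=secrets.randbits):
    """Claim 5 (shift step only): the key-schedule operation is run on two
    random shares of the key, yielding the shares (KiY', KiZ') of the sub-key."""
    y = draw_random(nbits)
    z = y ^ k
    return rotate_left(y, nbits, shift), rotate_left(z, nbits, shift)


def masked_round_xor(d, kiy, kiz):
    """Claim 6: D XOR Ki is replaced by (D XOR KiY') XOR KiZ', so the plain
    sub-key Ki is never reconstructed inside the round."""
    b_prime = d ^ kiy           # intermediate result b'
    return b_prime ^ kiz        # second output data item b


def is_xor_linear(opn, nbits, samples=64):
    """Precondition check: the masking is only sound for opn(a ^ b) == opn(a) ^ opn(b)."""
    for _ in range(samples):
        a, b = secrets.randbits(nbits), secrets.randbits(nbits)
        if opn(a ^ b) != opn(a) ^ opn(b):
            return False
    return True


if __name__ == "__main__":
    # Constructed sample values; any 32-bit half block and 28-bit key half would do.
    d, k = 0x12345678, 0x0ABCDEF
    print("E(d) masked == E(d):", masked_op(expansion, d, 32) == expansion(d))
    kiy, kiz = masked_subkey(k, 28, 1)
    print("masked round XOR == d ^ rotl(k):",
          masked_round_xor(d, kiy, kiz) == d ^ rotate_left(k, 28, 1))
    print("E is XOR-linear:", is_xor_linear(expansion, 32))
    print("x+1 is XOR-linear:", is_xor_linear(lambda x: (x + 1) & 0xFFFFFFFF, 32))
```

Run as a script it confirms that both masked computations reproduce the unmasked result while the random shares, not D or Ki, are what the hardware actually permutes and shifts; the last line shows the linearity check rejecting a modular addition, which is why claims 2, 4 and 5 list only permutation, expansion, shift and compression operations.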
CNB008063486A 1999-02-17 2000-01-20 Method for countermeasure in an electronic component using a secret key algorithm Expired - Lifetime CN100393029C (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FR99/01937 1999-02-17
FR9901937A FR2789776B1 (en) 1999-02-17 1999-02-17 COUNTER-MEASUREMENT METHOD IN AN ELECTRONIC COMPONENT USING A SECRET KEY CRYPTOGRAPHY ALGORITHM

Publications (2)

Publication Number Publication Date
CN1630999A CN1630999A (en) 2005-06-22
CN100393029C true CN100393029C (en) 2008-06-04

Family

ID=9542146

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB008063486A Expired - Lifetime CN100393029C (en) 1999-02-17 2000-01-20 Method for countermeasure in an electronic component using a secret key algorithm

Country Status (10)

Country Link
US (1) US7471791B1 (en)
EP (1) EP1198921B1 (en)
JP (1) JP2002540654A (en)
CN (1) CN100393029C (en)
AU (1) AU3057500A (en)
DE (1) DE60027163T2 (en)
ES (1) ES2262502T3 (en)
FR (1) FR2789776B1 (en)
MX (1) MXPA01008201A (en)
WO (1) WO2000049765A2 (en)

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2000305453A (en) * 1999-04-21 2000-11-02 Nec Corp Ciphering device, deciphering device, and ciphering and deciphering device
JP2002247025A (en) * 2001-02-22 2002-08-30 Hitachi Ltd Information processor
JP4596686B2 (en) 2001-06-13 2010-12-08 富士通株式会社 Secure encryption against DPA
WO2006006199A1 (en) 2004-07-07 2006-01-19 Mitsubishi Denki Kabushiki Kaisha Electronic element and data processing method
FR2916317B1 (en) * 2007-05-15 2009-08-07 Sagem Defense Securite PROTECTION OF EXECUTION OF A CRYPTOGRAPHIC CALCULATION
FR2925968B1 (en) * 2007-12-26 2011-06-03 Ingenico Sa MICROPROCESSOR SECURING METHOD, COMPUTER PROGRAM AND CORRESPONDING DEVICE
EP2553622B1 (en) 2010-03-31 2020-10-21 British Telecommunications public limited company Secure data recorder
DE102010028375A1 (en) * 2010-04-29 2011-11-03 Robert Bosch Gmbh Method for protecting functional cryptographic operations against side channel attacks for cryptography system in car, involves performing non-functional cryptographic operations supplementary to functional cryptographic operations
CN102110206B (en) * 2010-12-27 2013-01-16 北京握奇数据系统有限公司 Method for defending attack and device with attack defending function
CN103546281B (en) * 2013-10-31 2016-08-17 厦门市美亚柏科信息股份有限公司 Dynamic key generation method and device
US20150222421A1 (en) * 2014-02-03 2015-08-06 Qualcomm Incorporated Countermeasures against side-channel attacks on cryptographic algorithms
FR3056789B1 (en) * 2016-09-27 2018-09-21 Safran Identity & Security METHOD FOR ENCRYPTING OR SYMMETRICALLY DECRYPTING BY BLOCK

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2672402A1 (en) * 1991-02-05 1992-08-07 Gemplus Card Int Process and device for generating unique pseudo-random numbers
US5764766A (en) * 1996-06-11 1998-06-09 Digital Equipment Corporation System and method for generation of one-time encryption keys for data communications and a computer program product for implementing the same

Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2650457A1 (en) * 1989-07-25 1991-02-01 Trt Telecom Radio Electr METHOD FOR PROCESSING DATA BY COMPRESSION AND PERMUTATION FOR MICROCIRCUIT BOARD
FR2650458B1 (en) * 1989-07-25 1991-10-11 Trt Telecom Radio Electr METHOD FOR PROCESSING IRREGULAR PERMUTATION OF ENCRYPTED PROTECTED DATA
US5550809A (en) * 1992-04-10 1996-08-27 Ericsson Ge Mobile Communications, Inc. Multiple access coding using bent sequences for mobile radio communications
US5625690A (en) * 1993-11-15 1997-04-29 Lucent Technologies Inc. Software pay per use system
US5870470A (en) * 1996-02-20 1999-02-09 International Business Machines Corporation Method and apparatus for encrypting long blocks using a short-block encryption procedure
US6278783B1 (en) * 1998-06-03 2001-08-21 Cryptography Research, Inc. Des and other cryptographic, processes with leak minimization for smartcards and other cryptosystems
US6327661B1 (en) * 1998-06-03 2001-12-04 Cryptography Research, Inc. Using unpredictable information to minimize leakage from smartcards and other cryptosystems
FR2776445A1 (en) * 1998-03-17 1999-09-24 Schlumberger Ind Sa Cryptographic algorithm security technique
JP3600454B2 (en) * 1998-08-20 2004-12-15 株式会社東芝 Encryption / decryption device, encryption / decryption method, and program storage medium therefor
JP4317607B2 (en) * 1998-12-14 2009-08-19 株式会社日立製作所 Information processing equipment, tamper resistant processing equipment

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
METHOD FOR OBTAINING CRYPTOGRAPHICALLYSTRONG 8X8 S-BOXES. YI X ET AL.IEEE TELECOMMUNICATIONS CONFERENCE. 1997

Also Published As

Publication number Publication date
US7471791B1 (en) 2008-12-30
ES2262502T3 (en) 2006-12-01
DE60027163D1 (en) 2006-05-18
MXPA01008201A (en) 2003-07-21
CN1630999A (en) 2005-06-22
EP1198921B1 (en) 2006-04-05
WO2000049765A2 (en) 2000-08-24
FR2789776A1 (en) 2000-08-18
DE60027163T2 (en) 2007-03-29
JP2002540654A (en) 2002-11-26
WO2000049765A3 (en) 2002-02-28
EP1198921A2 (en) 2002-04-24
FR2789776B1 (en) 2001-04-06
AU3057500A (en) 2000-09-04

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
ASS Succession or assignment of patent right

Owner name: JIN YATUO

Free format text: FORMER OWNER: GEMPLUS CO.

Effective date: 20120828

C41 Transfer of patent application or patent right or utility model
C56 Change in the name or address of the patentee

Owner name: SETEC OY

Free format text: FORMER NAME: JIN YATUO

CP01 Change in the name or title of a patent holder

Address after: East France

Patentee after: GEMALTO OY

Address before: East France

Patentee before: Jin Yatuo

TR01 Transfer of patent right

Effective date of registration: 20120828

Address after: East France

Patentee after: Jin Yatuo

Address before: French gemenos

Patentee before: GEMPLUS

CX01 Expiry of patent term

Granted publication date: 20080604